Hi,
I'm finding that access tokens and refresh tokens are being invalidated after the
setting in the "SSO Session Idle Timeout" has elapsed for the direct-grant API.
Considering the direct-grant API enables browser-less application-to-application security,
I'm not convinced that this is the right approach for many use cases. For reliable
authorization and access token validation, it basically requires setting the "SSO
Session Idle Timeout" to the value of the Access Token timeout, which for many use
cases will be measured in hours or even days.
Is there a good reason that "SSO Session Idle Timeout" should even be considered
for direct-grants?
Thanks,
John